Confessions of an unexpected CIO

When an experienced chief information security officer took up a new role as CIO for a US Senate campaign, he found he had more to learn than he expected

Last year, I was approached with an interesting offer: a position as a CIO with a United States Senate campaign. The bulk of my 20-plus-year career has been in information security and information security management. To be honest, the idea would never have occurred to me. I had often wondered what mystical qualities made a CIO, but was pretty certain that I did not possess them. After some coaxing from the campaign's executive management and discussions with colleagues, I decided to accept the position.

There is always a certain level of doubt when one takes on a new position. For me, those reservations usually centre on the corporate political environment and the personalities. I have few fears with my abilities as an information security executive. I am knowledgeable in the subject and, with my professional network, an expert in any particular information security discipline is just a phone call or e-mail away: I have never been shy about asking for help when I need it.

This position flipped the poles of my neatly ordered world. The corporate political environment and personalities were not new to me. I knew the candidate, had a long-standing professional relationship with the managing director and had previously worked with many of the executive staff. What I did not have was an extensive network of information technology executives to tap for advice. I was also uncertain as to the practical differences between the role of CIO and CISO. Did I have the mystical qualities of a CIO? I didn't know what I didn't know - not my favourite place to be.

On my first day, some things became evident very quickly. The website and finance - as it happens, two of the most important bits - were outsourced. There were few corporate laptops; the rest of the laptops were the personal property of each employee. The bulk of the printers were owned by the staff. Much of the infrastructure was cobbled together from various bits and pieces that had been borrowed, purchased, leased or were of undetermined status. There were no equipment, configuration, supplier or contract databases to be found. On a good day this environment was going to be chaotic, while a bad day was going to bring to mind the Battle of the Somme.

I quickly realised that my most important priority was to keep the bulk of information flowing and available to campaign staff and volunteers, even at the risk of some information leakage. Take data entry, for example. A large amount of data needed to be entered into the campaign databases in a short amount of time. Some of this data is sensitive, some public record. Fortunately, the public record data comprised the bulk of it. This allowed us to use volunteers for data entry and do only limited vetting on them. Campaign staff were used for the more sensitive, low-volume data entry, as they had been through a proper vetting process.

I then had to narrow my security focus to protecting the sensitive information that we simply could not afford to leak under any circumstances. This was done with a combination of access controls, encryption and processes, which allowed us the flexibility we needed, while maintaining confidentiality, integrity, availability and accountability.

People have a natural tendency to focus on what they know, which is usually what they are good at and comfortable with. I had immediately started focusing on the security implications of the environment. Whenever working on a problem, I spend a great deal of effort trying to correctly determine the root cause. I have seen too much time and resources spent on solving problems that don't exist or weren't as they were initially perceived. My experience as a police officer taught me that, no matter how complete or detailed the initial report, it's not accurate. While going through this iterative process, it occurred to me that I wasn't looking at this from the perspective of a CIO but that of a CISO.

It was at that point that I knew I needed to change my perspective and my priorities. The work processes, and indeed many of the skills, that I had used over the years in information security management were not significantly different from those used by a CIO. It was beginning to dawn on me that information security as a discipline wasn't special; it was part of a broad spectrum of disciplines that made up the whole of information technology. I had been too insular, too clubbish in my thinking. There is no better cure for self-assured arrogance than a steep learning curve.

In information security management, setting priorities was nothing new for me. However, setting priorities for the whole information technology department was new. It made me wince a bit. I was starting to understand the CIO's perspective better. I remembered all those meetings with executive management and CIOs, requesting more resources for information security and not getting them.

While I wouldn't say the experience has turned me into a globetrotting, able-to-leap-a-server-rack-at-a-single-bound CIO, it did give me a new and better perspective. I learned that being a good CIO meant keeping everything - including my intuitive security instincts - in appropriate balance and aligned with the mission of the business. The purpose of information security was not to say "No", but to determine the most business-friendly way to say "Yes". The relationship between the CIO and CISO should be part of a continually developing process which explores the needs of the organisation and the proper method of satisfying those needs using a holistic approach.

Unfortunately, the candidate was not successful in his quest to become a United States Senator, and I am now hoping to apply my new CIO perspective as a CISO somewhere out in the world. But CISOs, if you get a chance to stand in for your CIO or CTO when they're away, I suggest you take it: it will change the way you think.

Richard Starnes is president of the Information Systems Security Association